iemejia commented on code in PR #3855:
URL: https://github.com/apache/avro/pull/3855#discussion_r3567388063


##########
lang/perl/lib/Avro/DataFileReader.pm:
##########
@@ -207,32 +212,156 @@ sub read_block_header {
 
     return if $codec eq 'null';
 
-    ## we need to read the entire block into memory, to inflate it
-    my $nread = read $fh, my $block, $datafile->{block_size} + MARKER_SIZE
-        or croak "Error reading from file: $!";
+    ## Guard against an attacker-controlled block_size triggering a huge
+    ## allocation for the compressed block itself, before any decompression
+    ## happens. When the reader is configured with block_max_size, reject a
+    ## block whose declared compressed size exceeds that bound up front.
+    my $block_max = $datafile->{block_max_size};
+    if (defined $block_max && $datafile->{block_size} > $block_max) {
+        Avro::DataFile::Error::CompressedBlockSize->throw(
+            "Compressed block size $datafile->{block_size} exceeds the 
configured block_max_size of $block_max bytes"

Review Comment:
   Perl does interpolate a hash-element deref like `$datafile->{block_size}` 
inside a double-quoted string (verified: it prints the value, e.g. `1234`, not 
`HASH(0x...)`), so the message was already correct. I've extracted a 
`$block_size` local and used it in both the comparison and the message for 
clarity.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to